Jan 28

Problem with Bitlocker


Problem Bitlocker

During a BitLocker project at a customer, I had a problem with the storage of the BitLocker recovery key in Active Directory.
After setting up the group policy that configured the desktop and laptop clients (store the recovery key in AD, use the TPM, …), I launched the script that enabled BitLocker on the system partition or another partition. BitLocker was activated and the partition was encrypted; however, the recovery key was not stored in Active Directory. After several tests, I realized that the encryption of some partitions failed (error message when I tried to initialize the TPM chip), and this happened randomly.
The project consisted of encrypting the system partitions of laptop computers and decrypting the partition using the TPM chip.

How to solve the problem?

After research on the internet and many unsuccessful attempts, I found and corrected the problem. When attempting to initialize the TPM chip, an error message appeared:

Trusted Platform Module (TPM) Initialization failed.
Access is denied.
Error 0x80070005.

An ACL entry was missing. Indeed, I had to set up a delegation for « Self » at the level of the OU containing the computer accounts:

  • Open Active Directory Users and Computers
  • Select the OU containing the computers on which you want to enable BitLocker
  • Right-click the OU and select Delegate Control
  • Click Next on the first page of the wizard
  • In the Users and Groups window, add the Self account using the Add button
  • Select the option « Create a custom task to delegate »
  • Click the radio button « Only the following objects in the folder » and select « Computer Objects »
  • On the Permissions page, select all 3 checkboxes and select the attribute « Write msTPM-OwnerInformation »
  • Click Next and Finish

Subsequently, all tests were conclusive: the TPM chips activated properly and the recovery key was present in Active Directory.
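The delegation configured above through the wizard, as an added PowerShell example (not the original post's script): it checks whether the OU already grants SELF "Write msTPM-OwnerInformation" on descendant computer objects and adds the ACE only if it is missing. It assumes the ActiveDirectory module (RSAT) is installed and rights to modify the OU's ACL; the OU distinguished name is a placeholder.

```powershell
# Added example, not the original post's script.
# Checks for, and if missing adds, the ACE that the Delegate Control wizard creates:
# SELF -> Allow WriteProperty on msTPM-OwnerInformation, applied to descendant computer objects.
Import-Module ActiveDirectory

$ouDN = 'OU=Laptops,DC=example,DC=com'   # placeholder: OU containing the computer accounts

# Resolve schema GUIDs from the forest schema rather than hardcoding them
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$tpmAttrGuid  = Get-SchemaGuid 'msTPM-OwnerInformation'  # attribute the computer writes during TPM initialization
$computerGuid = Get-SchemaGuid 'computer'                # restrict the ACE to computer objects only

$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # well-known SID for SELF (locale-independent)

function Test-IsSelf {
    param($IdentityReference)
    try { return $IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $self.Value }
    catch { return $false }   # unresolvable (orphaned) SIDs are simply not SELF
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Is there already an Allow ACE letting SELF write this attribute on descendant computers?
$existing = $acl.Access | Where-Object {
    $_.ObjectType -eq $tpmAttrGuid -and
    $_.InheritedObjectType -eq $computerGuid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    (Test-IsSelf $_.IdentityReference)
}

if ($existing) {
    Write-Output "OK: SELF can already write msTPM-OwnerInformation on computers under $ouDN"
} else {
    Write-Output "Missing ACE detected under $ouDN; adding it"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $tpmAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}
```

Run it once before the delegation to confirm the "Missing ACE" branch explains the 0x80070005 access-denied error, and again afterwards to confirm the OK branch.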

